Is Chrome letting malicious websites spy on your conversations?

Graham Cluley

Microphone A feature built into the popular Chrome web browser can be exploited to allow remote websites to secretly spy upon your conversations, and record everything that you say.

That’s a claim made by Israeli web developer Tal Ater in a blog post he published this week.

As the following video describes, all a malicious website has to do is trick you into enabling Chrome’s voice control feature for a legitimate purposes (such as dictation), and it can continue to secretly snoop upon your conversations even after you think you have long left the site.

The surveillance continues because the malicious website has opened a pop-under window, beneath your main browsing window and out of eyesight. If the pop-under window is disguised as an advert, victims may not realise that they have been potentially spied upon.

Chrome is supposed to display a flashing red dot in a page’s tab to signifying that a particular site is recording sound through the user’s microphone. However, from the above video it appears that the hidden pop-under window doesn’t display the visual reminder to the user.

Ater says that he told Google about the problem four months ago, he hasn’t received a bug bounty and a fix still hasn’t been rolled out to Chrome users.

And maybe we shouldn’t hold our breath for Google to properly resolve what seems to be a potentially serious security issue.

Gizmodo reports an official statement from Google that downplays the issue, and claims there is nothing wrong with Chrome:

The security of our users is a top priority, and this feature was designed with security and privacy in mind. We’ve re-investigated and this is not eligible for a reward, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C specification, and we continue to work on improvements.

Find out more about the vulnerability by visiting Tal Ater’s website.

What do you think? Do you think Chrome is endangering privacy by working in this way? Do you want Google to fix the “bug” or is it okay for them to leave it as-is? Leave a comment below and have your say.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.